cs851: Web Application Security Seminar
News
- Project Presentations:
- Steven Baker, Steganalysis with Streamwise Feature Selection [PDF] [PPT]
- Yan Huang, Multi-Core Tainting [PDF] [PPT]
- Krasimira Kapitanova, The New Virtual Organization Membership Service (VOMS) [PDF] [PPT]
- Duane Merrill, Practical Privacy with LARGE Databases [PDF] [PPT]
- Sang-Min Park, Automated, Least-Privilege Grid Delegation [PDF] [PPT]
- Hong Pham, Binary Context-Sensitive Recognizer (BCSR) [PDF] [PPT]
- Chris Sosa, Blake Sutton (and Howie Huang), The Super Secret File System [PDF] [PPT]
- Isabelle Stanton, Preserving Privacy and Social Influence [PDF] [PPT]
- 14 November: The paper for Tuesday is:
Jonathan M. McCune, Bryan Parno, Adrian Perrig, Michael K. Reiter, and Arvind Seshadri. Minimal TCB Code Execution (Extended Abstract). IEEE Symposium on Security and Privacy, May 2007.
A related paper on how "trusted computing" technologies fail is: Bernhard Kauer. OSLO: Improving the security of Trusted Computing. 16th USENIX Security Symposium, Boston, MA, USA, August 6-10, 2007.
- 5 November: Here is the information for the debates this week:
Tuesday, 6 November (Googlization)
Affirmative Statement, Witnesses, and Documents [PDF]
Negative Statement, Witnesses, and Documents [PDF]
Thursday, 8 November (Net Neutrality)
Position statement
Internet Service Providers (ISPs) may not offer differing quality of service (QoS) on the basis of the source or nature of the content being delivered to subscribers. ISPs may offer differing QoS to subscribers (in terms of bandwidth and latency) that are independent of the nature of the content.
Witnesses
1. Vint Cerf
2. Spokesperson for ISPs
Documents
- Prepared Statement of Vinton Cerf, US Senate Committee on Commerce, Science, and Transportation, Hearing on "Network Neutrality", February 7, 2006. http://commerce.senate.gov/pdf/cerf-020706.pdf
- Daniel J. Weitzner, The Neutral Internet: An Information Architecture for Open Societies [PDF]
- Robert Hahn and Scott Wallsten, The Economics of Net Neutrality, Economists' Voice, June 2006. [Link only works within UVa]
- Jon Crowcroft, Net neutrality: the technical side of the debate: a white paper, ACM SIGCOMM Computer Communication Review, January 2007.
Negative Team Witness: Robert Kahn
Documents:
- Gerald Faulhaber, David Farber, Michael Katz, and Christopher Yoo. Common Sense About Network Neutrality [PDF]
- William Taylor, Freedom, Regulation, and Net Neutrality [PDF], September 2007.
- Robert Hahn and Robert Litan. The Myth of Network Neutrality and What We Should Do About It [PDF]. International Journal of Communication, 2007.
- The Consumerist. "Leaked" Comcast memo.
- How the Law & the Courts ALREADY Protect The Open Internet
- Hands off the Internet. Online Overload: How To Cope With The Data Tidal Wave Hitting the Web [PDF]
- NetCompetition.org. Net Neutrality Fact Sheet [PDF].
- 29 October: I am at CCS this week, so will not have office hours and there will not be seminar meetings. You should take advantage of the seminar time to meet with your groups for the debate.
- 23 October: I will be late to my office hours Wednesday morning, but will be around sometime later in the morning.
- 18 October: The paper for Tuesday (October 23) is:
Y. Wang and P. Moulin. Optimized Feature Extraction for Learning-Based Image Steganalysis. IEEE Trans. Information Forensics and Security, Vol. 2, No. 1, March 2007.
- 16 October: The paper for Thursday (October 18) is:
Gilad Mishne, David Carmel, Ronny Lempel. Blocking Blog Spam with Language Model Disagreement. AIRWeb 2005.
- 12 October: Here is the information from the syllabus on what your project proposals (due Tuesday) should include:
- Clear Statement of the Problem — what question is your project seeking to answer? If your project is successful, what will the research community know after you are done that it does not already know.
- Motivation — why is your problem interesting and important?
- Related Work — this doesn't need to be complete yet, but should be enough to show the problem is relevant and interesting and make it clear what has and has not already been solved by other researchers. You should make sure to relate the related work to your project, not just summarize a lot of papers you have read. For every work you describe, your related work section should explain clearly why it is relevant to what you want to do.
- Research Plan — concrete description of what you plan to do. Your research plan must include clear milestones for every week until the end of the project. If your project involves more than one person, it should also explain how you are dividing and managing the work in your team.
- Evaluation — description of how you will decide if the project is successful. How do you know if you have answered the problem question? Note that your project does not need to be a successful research project to satisfy the requirements for the course project, but you do need some way of evaluating the success of your project.
- 12 October: The focus paper for 16 October is:
Wei Xu, Sandeep Bhatkar, and R. Sekar. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. 15th USENIX Security Symposium, Vancouver, BC, Canada, August 2006.
You don't need to turn in response questions, but as you read the paper think about possible malicious information flows that would not be detected by this approach.
- 11 October: I will not be able to hold my usual office hours on Monday, October 15. I will be around later in the day though.
- 8 October: The focus paper for 11 October is:
Andrew Bortz, Dan Boneh, Palash Nandy. Exposing Private Information by Timing Web Applications. WWW 2007.
- 26 September: The focus paper for 2 October is:
Yabo Xu, Benyu Zhang, Zheng Chen, Ke Wang. Privacy-Enhancing Personalized Web Search. WWW 2007.
- 24 September: The focus paper for 27 September is:
Arati Baliga, Joe Kilian and Liviu Iftode. A Web Based Covert File System. HotOS 2007.
Choose either one of these response questions:
- (Choice 1) This response question is inspired by Daniel Olson's talk Monday (but even if you missed the talk you should be able to think about answering it): Is there a manual equivalent of a covert file system that a criminal could use to hide data in a way that provides a similar level of plausible deniability as CovertFS (without requiring any non-human devices to maintain and access files)?
- (Choice 2) The paper suggests using local caching and forwarding pointers to avoid hotspots. Are these methods sufficient?
- 20 September: The focus paper for 25 September is:
Moritz Becker, Cedric Fournet, Andrew Gordon. Design and Semantics of a Decentralized Authorization Language. Computer Security Foundations Symposium 2007. [SecPAL Page]
Choose either one of these response questions (but one you can write an interesting answer to):
- Choice 1: This posting (http://lambda-the-ultimate.org/node/1728#comment-21104) hypothesizes that the only SecPAL policy likely to be used is the policy "True" that allows all access. Do you agree? Explain why or why not.
- Choice 2: This paper targets grid computing applications, rather than standard web applications. How are the delegation issues in grid computing related to those for web applications (consider especially mashups)?
- 12 September: The focus paper for 20 September is:
Lars Backstrom, Cynthia Dwork, Jon Kleinberg. Wherefore Art Thou R3579X? Anonymized Social Networks, Hidden Patterns, and Structural Steganography. WWW 2007.
Section 2.2 is quite difficult to understand — try to read it and understand as much as possible, but don't be distressed if you can't follow the analysis completely.
There is only one response question:
The paper proposes two attacks on social networking graphs. What might you do to the graph that would always foil one or both of the attacks while still maintaining utility of the graph? We define utility as roughly preserving global statistics like average degree, average path length, diameter etc. Give some justification for why your method foils the attack while still preserving the needed global statistics.
- 12 September: The focus paper for 18 September is:
Alexander Moshchuk, Tanya Bragin, Damien Deville, Steven D. Gribble, and Henry M. Levy. SpyProxy: Execution-based Detection of Malicious Web Content. USENIX Security 2007.
Here are some questions to think about for this paper:
- The paper mentions an attack that could use non-determinism to cause SpyProxy to fail 50% of the time. What are some other threats that could slip through the cracks of this execution-based approach?
- What problems or benefits could arise from widespread deployment of SpyProxy on the web? How would this deployment work?
- 6 September: The focus paper for 13 September is:
Benjamin Livshits and Monica S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. USENIX Security 2005.
Here are the questions:
- This paper targets similar vulnerabilities to the Wassermann and Su paper last week, but defines SQL injections in quite different ways. Explain which definition is better and why.
- In the paper, the authors use PQL to express the so called "tainted object propagation problem" and look for instances of it in real applications. Are there other problems (security related or otherwise) that might be susceptible to this technique?
Michael Martin, Benjamin Livshits, and Monica S. Lam. Finding Application Errors and Security Flaws Using PQL: a Program Query Language. Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), October 2005.
- 6 September: The focus paper for 11 September is:
Ian Fette, Norman Sadeh, Anthony Tomasic. Learning to Detect Phishing Emails. WWW 2007.
Here are the questions for Tuesday's paper:
- Are the ten features (Section 3.2) used for email classification enough to solve the phishing problem? Can you think of some other feature that is common to phishing emails and that the authors failed to consider?
- Suppose you are recruited to the dark side and hired to develop a phishing attack that will get through PILFER. Explain how you would develop a successful phishing attack.
- 1 September: I rescheduled my office hours to be Wednesdays, 9:30-10:30am (instead of after class Tuesdays). I can still meet after class most days, but will have the scheduled Wednesday office hours, as well as Mondays, 10:30-11:30am.
- 1 September: The focus paper for 6 September is:
Gary Wassermann and Zhendong Su. Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. PLDI 2007
The response questions:
- What are the most important novel contributions of the work?
- The authors claim that their algorithm can track the possible values of string variables across loops, function calls, etc. In general this problem is undecidable. What simplifying assumptions do the authors make to get around this?
- The authors claim that their analysis is sound, i.e. it will always find an SQLCIV if there is one. Do you agree with this claim? If so, explain succinctly why no SQLCIV could escape their analysis; if not, give an example of an SQLCIV that would not be detected.
- 31 August: The focus paper for 4 September is:
Shuo Chen, David Ross, and Yi-Min Wang. An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism. ACM CCS 2007.
In your responses, answer the standard questions 1-3 below. For the fourth question, answer either one of these two questions:
- (choice a) Section 6.2 argues that XOR probing attacks are impossible against the proposed mechanisms, but doesn't consider other types of attacks such as the attacker's code being able to learn the key from analyzing its accented code or accented references. Identify other possible attacks on their mechanism, and explain what an attacker would need to be able to do to succeed.
- (choice b) This paper is focused on supporting an all-or-nothing same origin policy. Suppose we want to support the kinds of mashups described in the MashupOS paper. Can the mechanisms proposed in this paper be adapted to support richer sharing policies?
- 29 August: Schedule, Papers, and Conferences are now posted.
- 28 August: Syllabus [PDF], Intro Slides [PPT]
- 28 August: The focus paper for 30 August is:
Helen Wang, Xiaofeng Fan, Jon Howell, Collin Jackson. Protection and Communication Abstractions for Web Browsers in MashupOS. 21st ACM Symposium on Operating Systems Principles (SOSP), October 2007.
Your responses should include short answers to these 5 questions:
- What problem does this work attempt to solve?
- What are the most important novel contributions of the work?
- What change or enhancement would most significantly improve the work?
- How does the current mashup model facilitate cross-site scripting attacks?
- In what ways is a ServiceInstance similar to and different from an operating system process?
- 28 August: If you have not previously read this paper, you should read it soon for background and perspective:
Jerome Saltzer and Michael Schroeder. The Protection of Information in Computer Systems. SOSP 1973.
Seminar Description
Theme: Web applications connect people and applications in complex and dynamic ways, presenting new vectors for rapid attack and subtle channels for privacy compromise. This seminar will focus on security vulnerabilities, threats, and defenses for web applications including mashups and dynamic social networks, and technologies such as Ajax and Flash.
Expected Background: The seminar is open to both graduate students and ambitious undergraduates (with permission). Students in the seminar are expected to have enough background in theory, cryptography, operating systems, security, and networks to be able to understand research papers from recent security, networking, and operating systems conferences. Students lacking relevant background will need to supplement the seminar readings with additional material.
Requirements
Each student will be expected to:
- lead a seminar meeting on one topic (with help of one or more other students)
- assist a student who is leading a seminar meeting
- write short reviews/responses to seminar papers
- complete a semester project (alone, or with a small team)